ASP.NET: Am I safe from SQL Injection and XSS in this situation?
I have a blog-driven ASP.NET website. Under each post there is a comment block that lets readers post comments.
I've used some TextBoxes and a TextArea for that.
To prevent XSS:
I've filtered the input using the Server.HtmlEncode() method (I don't care about text formatting).
To prevent SQL injection:
I'm using LINQ to SQL (which should be like parameterized queries, I think!).
Am I safe now?
Because I've set ValidateRequest="false" in the page directive.
Here is the code (from the comment form's submit handler; the LINQ to SQL DataContext and entity come from the designer-generated ArticlesDataClasses):

    ArticlesDataClasses dc = new ArticlesDataClasses();
    ArticleComment newComm = new ArticleComment()
    {
        // ArticleID arrives on the query string; int.Parse throws on non-numeric input
        ArticleID = int.Parse(Request.QueryString["ArticleID"]),
        // HTML-encode every user-supplied field before it is stored
        CommentAuthor = Server.HtmlEncode(txtName.Text),
        // encode first, then turn newlines into <br /> so only our own markup survives
        CommentText = Server.HtmlEncode(txtComment.InnerHtml).Replace("\n", "<br />"),
        CommentAuthorEmail = Server.HtmlEncode(txtMail.Text),
        CommentTime = DateTime.Now,
        Enabled = false   // comments stay hidden until moderated
    };
    // LINQ to SQL emits a parameterized INSERT for the new entity
    dc.ArticleComments.InsertOnSubmit(newComm);
    dc.SubmitChanges();

Thanks.
Parameters and encoding are the major ones, but you may also want to take into account cross-site request forgery (CSRF) attacks, and prevent posting if the referrer isn't your site:
http://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx
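The same insert with the checks discussed above (same-site POST check, fail-closed ArticleID parsing, ViewStateUserKey as the Web Forms CSRF mitigation), written as an added example rather than code from the question or the answer. It assumes the question's ArticlesDataClasses / ArticleComment LINQ to SQL types and the txtName, txtComment and txtMail controls, plus a hypothetical btnSubmit_Click handler on a page class named ArticlePage.

```csharp
using System;
using System.Web;
using System.Web.UI;

public partial class ArticlePage : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Bind ViewState to this session so a POST forged from another site
        // cannot replay a valid ViewState (built-in Web Forms CSRF mitigation).
        ViewStateUserKey = Session.SessionID;
    }

    // True only for a POST whose Referer host matches ours. A missing Referer is
    // rejected; some proxies strip it, so expect occasional false rejections.
    private bool IsSameSiteRequest()
    {
        if (Request.HttpMethod != "POST") return false;
        Uri referrer = Request.UrlReferrer;
        return referrer != null
            && string.Equals(referrer.Host, Request.Url.Host, StringComparison.OrdinalIgnoreCase);
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        if (!IsSameSiteRequest()) { Response.StatusCode = 403; return; }

        // int.Parse throws on a non-numeric query string; TryParse fails closed instead.
        int articleId;
        if (!int.TryParse(Request.QueryString["ArticleID"], out articleId))
        {
            Response.StatusCode = 400;
            return;
        }

        using (ArticlesDataClasses dc = new ArticlesDataClasses())
        {
            // LINQ to SQL sends these values as SQL parameters, so the text is never
            // spliced into the query; HtmlEncode only protects the HTML output context.
            ArticleComment newComm = new ArticleComment
            {
                ArticleID = articleId,
                CommentAuthor = Server.HtmlEncode(txtName.Text),
                CommentText = Server.HtmlEncode(txtComment.InnerHtml).Replace("\n", "<br />"),
                CommentAuthorEmail = Server.HtmlEncode(txtMail.Text),
                CommentTime = DateTime.Now,
                Enabled = false
            };
            dc.ArticleComments.InsertOnSubmit(newComm);
            dc.SubmitChanges();
        }
    }
}
```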